Fix dummy server

Author: ameba23

.github/workflows/test.yml

@@ -33,7 +33,7 @@ jobs:
           ${{ runner.os }}-cargo-
 
     - name: Run cargo clippy
-      run: cargo clippy -- -D warnings
+      run: cargo clippy --workspace -- -D warnings
 
     - name: Run cargo test
-      run: cargo test
+      run: cargo test --workspace --all-targets

Cargo.lock

@@ -9,19 +9,15 @@ publish = false
 attested-tls-proxy = { path = ".." }
 tokio = { version = "1.48.0", features = ["full"] }
 axum = "0.8.6"
-tokio-rustls = { version = "0.26.4", default-features = false, features = ["ring"] }
 thiserror = "2.0.17"
 clap = { version = "4.5.51", features = ["derive", "env"] }
-webpki-roots = "1.0.4"
-rustls-pemfile = "2.2.0"
 anyhow = "1.0.100"
 configfs-tsm = "0.0.2"
 hex = "0.4.3"
 serde_json = "1.0.145"
 serde = "1.0.228"
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.20", features = ["env-filter", "json"] }
-rcgen = "0.14.5"
 parity-scale-codec = "3.7.5"
 reqwest = { version = "0.12.23", default-features = false }
 

dummy-attestation-server/Cargo.toml

@@ -1,26 +1,24 @@
-use std::{
-    net::{IpAddr, SocketAddr},
-    sync::Arc,
-};
+use std::net::SocketAddr;
 
-use attested_tls_proxy::{attestation::AttestationExchangeMessage, QuoteGenerator};
+use attested_tls_proxy::attestation::{
+    AttestationExchangeMessage, AttestationGenerator, AttestationVerifier,
+};
 use axum::{
     extract::{Path, State},
     http::StatusCode,
     response::{IntoResponse, Response},
 };
 use parity_scale_codec::{Decode, Encode};
 use tokio::net::TcpListener;
-use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
 
 #[derive(Clone)]
 struct SharedState {
-    attestation_generator: Arc<dyn QuoteGenerator>,
+    attestation_generator: AttestationGenerator,
 }
 
 pub async fn dummy_attestation_server(
     listener: TcpListener,
-    attestation_generator: Arc<dyn QuoteGenerator>,
+    attestation_generator: AttestationGenerator,
 ) -> anyhow::Result<SocketAddr> {
     let addr = listener.local_addr()?;
 
@@ -41,20 +39,21 @@ async fn get_attest(
     State(shared_state): State<SharedState>,
     Path(input_data): Path<String>,
 ) -> Result<(StatusCode, Vec<u8>), ServerError> {
-    let (cert_chain, _) = generate_certificate_chain("0.0.0.0".parse().unwrap());
     let input_data: [u8; 64] = hex::decode(input_data).unwrap().try_into().unwrap();
 
-    let attestation = AttestationExchangeMessage::from_attestation_generator(
-        &cert_chain,
-        input_data[..32].try_into().unwrap(),
-        shared_state.attestation_generator,
-    )?
-    .encode();
+    let attestation = shared_state
+        .attestation_generator
+        .generate_attestation(input_data)
+        .await?
+        .encode();
 
     Ok((StatusCode::OK, attestation))
 }
 
-pub async fn dummy_attestation_client(server_addr: SocketAddr) -> anyhow::Result<()> {
+pub async fn dummy_attestation_client(
+    server_addr: SocketAddr,
+    attestation_verifier: AttestationVerifier,
+) -> anyhow::Result<AttestationExchangeMessage> {
     let input_data = [0; 64];
     let response = reqwest::get(format!(
         "http://{server_addr}/attest/{}",
@@ -68,10 +67,14 @@ pub async fn dummy_attestation_client(server_addr: SocketAddr) -> anyhow::Result
 
     let remote_attestation_message = AttestationExchangeMessage::decode(&mut &response[..])?;
     let remote_attestation_type = remote_attestation_message.attestation_type;
-    println!("{remote_attestation_type}");
 
-    // TODO validate the attestation
-    Ok(())
+    println!("Remote attestation type: {remote_attestation_type}");
+
+    attestation_verifier
+        .verify_attestation(remote_attestation_message.clone(), input_data)
+        .await?;
+
+    Ok(remote_attestation_message)
 }
 
 struct ServerError(pub anyhow::Error);
@@ -92,24 +95,6 @@ impl IntoResponse for ServerError {
     }
 }
 
-/// Helper to generate a self-signed certificate for testing
-fn generate_certificate_chain(
-    ip: IpAddr,
-) -> (Vec<CertificateDer<'static>>, PrivateKeyDer<'static>) {
-    let mut params = rcgen::CertificateParams::new(vec![]).unwrap();
-    params.subject_alt_names.push(rcgen::SanType::IpAddress(ip));
-    params
-        .distinguished_name
-        .push(rcgen::DnType::CommonName, ip.to_string());
-
-    let keypair = rcgen::KeyPair::generate().unwrap();
-    let cert = params.self_signed(&keypair).unwrap();
-
-    let certs = vec![CertificateDer::from(cert)];
-    let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(keypair.serialize_der()));
-    (certs, key)
-}
-
 #[cfg(test)]
 mod tests {
 
@@ -119,13 +104,17 @@ mod tests {
 
     #[tokio::test]
     async fn test_dummy_server() {
-        let attestation_generator = AttestationType::None.get_quote_generator().unwrap();
+        let attestation_generator = AttestationGenerator {
+            attestation_type: AttestationType::None,
+        };
 
         let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
         let server_addr = listener.local_addr().unwrap();
         dummy_attestation_server(listener, attestation_generator)
             .await
             .unwrap();
-        dummy_attestation_client(server_addr).await.unwrap();
+        dummy_attestation_client(server_addr, AttestationVerifier::do_not_verify())
+            .await
+            .unwrap();
     }
 }

dummy-attestation-server/src/lib.rs

@@ -1,7 +1,10 @@
-use attested_tls_proxy::attestation::AttestationType;
+use attested_tls_proxy::attestation::{
+    measurements::get_measurements_from_file, AttestationGenerator, AttestationType,
+    AttestationVerifier,
+};
 use clap::{Parser, Subcommand};
 use dummy_attestation_server::{dummy_attestation_client, dummy_attestation_server};
-use std::net::SocketAddr;
+use std::{net::SocketAddr, path::PathBuf};
 use tokio::net::TcpListener;
 use tracing::level_filters::LevelFilter;
 
@@ -30,6 +33,9 @@ enum CliCommand {
     Client {
         /// Socket address of a dummy attestation server
         server_addr: SocketAddr,
+        /// Optional path to file containing JSON measurements to be enforced on the server
+        #[arg(long, env = "SERVER_MEASUREMENTS")]
+        server_measurements: Option<PathBuf>,
     },
 }
 
@@ -64,12 +70,30 @@ async fn main() -> anyhow::Result<()> {
                 serde_json::Value::String(server_attestation_type.unwrap_or("none".to_string())),
             )?;
 
-            let attestation_generator = server_attestation_type.get_quote_generator()?;
+            let attestation_generator = AttestationGenerator {
+                attestation_type: server_attestation_type,
+            };
 
             let listener = TcpListener::bind(listen_addr).await?;
             dummy_attestation_server(listener, attestation_generator).await?;
         }
-        CliCommand::Client { server_addr } => dummy_attestation_client(server_addr).await?,
+        CliCommand::Client {
+            server_addr,
+            server_measurements,
+        } => {
+            let attestation_verifier = match server_measurements {
+                Some(server_measurements) => AttestationVerifier {
+                    accepted_measurements: get_measurements_from_file(server_measurements).await?,
+                    pccs_url: None,
+                },
+                None => AttestationVerifier::do_not_verify(),
+            };
+
+            let attestation_message =
+                dummy_attestation_client(server_addr, attestation_verifier).await?;
+
+            println!("{attestation_message:?}")
+        }
     }
 
     Ok(())

dummy-attestation-server/src/main.rs

@@ -15,7 +15,7 @@ use tdx_quote::QuoteParseError;
 use thiserror::Error;
 
 /// This is the type sent over the channel to provide an attestation
-#[derive(Debug, Serialize, Deserialize, Encode, Decode)]
+#[derive(Clone, Debug, Serialize, Deserialize, Encode, Decode)]
 pub struct AttestationExchangeMessage {
     /// What CVM platform is used (including none)
     pub attestation_type: AttestationType,